AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2026-05-16 · Documentation low

File: cognito/latest/developerguide/tagging.md

Summary

Added CloudFormation tagging permissions section detailing required IAM permissions for tag propagation during stack operations.

Security assessment

Documents required IAM permissions (TagResource/UntagResource) for secure CloudFormation operations. While related to access control, this is operational guidance rather than vulnerability mitigation. It enhances security documentation by clarifying permission requirements.

Diff

diff --git a/cognito/latest/developerguide/tagging.md b/cognito/latest/developerguide/tagging.md
index 799472f34..8b3853680 100644
--- a//cognito/latest/developerguide/tagging.md
+++ b//cognito/latest/developerguide/tagging.md
@@ -7 +7 @@
-Supported resourcesTag restrictionsManaging tags with the consoleAWS CLI examplesAPI actions
+Supported resourcesTag restrictionsManaging tags with the consoleAWS CLI examplesAPI actionsCloudFormation tagging
@@ -253,0 +254,28 @@ Use the following API actions to assign, view, and remove tags for identity pool
+## CloudFormation tagging permissions
+
+When you create or update Amazon Cognito user pool or identity pool resources with AWS CloudFormation, CloudFormation can propagate stack-level tags and system-level tags to your resources. To permit this tag propagation, the IAM principal that deploys the stack must have tagging permissions in addition to the resource-creation permissions.
+
+For example, to create a user pool with `cognito-idp:CreateUserPool`, the caller must also have the following permissions:
+
+  * `cognito-idp:TagResource`
+
+  * `cognito-idp:UntagResource`
+
+  * `cognito-idp:ListTagsForResource`
+
+
+
+
+Similarly, to create an identity pool with `cognito-identity:CreateIdentityPool`, the caller must also have the following permissions:
+
+  * `cognito-identity:TagResource`
+
+  * `cognito-identity:UntagResource`
+
+  * `cognito-identity:ListTagsForResource`
+
+
+
+
+Without these permissions, stack creation or update can fail when CloudFormation attempts to apply tags to the resource. If you see an access-denied error related to tagging during a stack operation, verify that your IAM policy includes these permissions.
+